Overview

overview

10

Static

static

1

G3bSa3Lvws.exe

windows7-x64

3

G3bSa3Lvws.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    G3bSa3Lvws.exe

  • Size

    871KB

  • Sample

    250217-t5zcfa1py6

  • MD5

    1274eda47fd05cc033704d7a27ad5011

  • SHA1

    3c044be6ffec482f9c19da77821783bb79138293

  • SHA256

    80d10d106196d93d19a754478ac3f903f79e1a046e346844eb7f635982b26d96

  • SHA512

    452f7ce1e93c6f040cc280432802c06369302097c514820c8bce652b0e1bef460d49bade9a65cd56e7d894fd4fc5b46aeac836c4a31543c301abd11dcb33981a

  • SSDEEP

    12288:2EL2wlOrnQHCMdVBkPxEs/+xJmeCFupq7goZzQ53nhvrsPRk65XAIWyqz++uxMCC:CjnHxFuM7gouhvIPnXLxPIEwp

Score
10/10
vidaradwarecredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      G3bSa3Lvws.exe

    • Size

      871KB

    • MD5

      1274eda47fd05cc033704d7a27ad5011

    • SHA1

      3c044be6ffec482f9c19da77821783bb79138293

    • SHA256

      80d10d106196d93d19a754478ac3f903f79e1a046e346844eb7f635982b26d96

    • SHA512

      452f7ce1e93c6f040cc280432802c06369302097c514820c8bce652b0e1bef460d49bade9a65cd56e7d894fd4fc5b46aeac836c4a31543c301abd11dcb33981a

    • SSDEEP

      12288:2EL2wlOrnQHCMdVBkPxEs/+xJmeCFupq7goZzQ53nhvrsPRk65XAIWyqz++uxMCC:CjnHxFuM7gouhvIPnXLxPIEwp

    Score
    10/10
    discoveryvidaradwarecredential_accesspersistenceprivilege_escalationspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Modify Authentication Process

1
T1556

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Authentication Process

1
T1556

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks